Multiple threat frameworks in a single rule

I'm interested in knowing if any Elastic detection rules use two different threat frameworks within the same rule.

According to the ECS documentation:

The threat.framework field is defined as a keyword, which suggests it only accepts a single value.

Is it possible for a rule to match more than one framework? How do I address this?

That's not correct. The field is mapped as keyword, but every field can have multiple values, as there is no dedicated array type in Elasticsearch [documentation]

So you could have something like threat.framework: ["framework1", "framework2"]

And you could have a rule that would match any value like this:

threat.framework: ("framework1" or "framework2")

Hi @leandrojmp! Thank you very much for your response! I understand that even though it's a keyword type, it can even be an array, but its elements must be keywords. Could you give me an example rule that displays this behavior in the framework?

Not sure exactly what kind of example you want and what behavior you are mentioning.

Elastic native integrations use MITRE only, but the user is free to create rules based on other frameworks.
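The multi-value behavior discussed in this thread, as an added example for the Kibana Dev Tools console (not part of the original posts): it maps `threat.framework` as `keyword`, indexes one document with two values and one with a single value, then queries for either value and for both. The index name `threat-framework-demo` is an assumption, and `framework1`/`framework2` are the thread's placeholder values.

```console
# Hypothetical demo index; threat.framework is mapped as keyword, as in ECS
PUT threat-framework-demo
{
  "mappings": {
    "properties": {
      "threat": {
        "properties": {
          "framework": { "type": "keyword" }
        }
      }
    }
  }
}

# Constructed document: a keyword field holding two values (no array type is needed)
PUT threat-framework-demo/_doc/1?refresh=true
{
  "threat": { "framework": ["framework1", "framework2"] }
}

# Constructed document: the same field holding a single value
PUT threat-framework-demo/_doc/2?refresh=true
{
  "threat": { "framework": "framework1" }
}

# "Either framework": the Query DSL form of threat.framework: ("framework1" or "framework2")
GET threat-framework-demo/_search
{
  "query": {
    "terms": { "threat.framework": ["framework1", "framework2"] }
  }
}

# "Both frameworks on the same document": every term clause must match
GET threat-framework-demo/_search
{
  "query": {
    "bool": {
      "filter": [
        { "term": { "threat.framework": "framework1" } },
        { "term": { "threat.framework": "framework2" } }
      ]
    }
  }
}
```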